Tuesday, 11 March 2014

There has
been a lot of media attention attracted by the FIDO Alliance, an organisation
that is attempting to change the nature of online authentication through
standards and I have been following the developments with interest.

FIDO has had
a successful start to its history with some of the largest names in technology,
PayPal, Google, Microsoft, Synaptics (Validity Sensors), Lenovo, RSA and
MasterCard to name a few, playing a role in developing the standards that were
recently made public.

A number of
the FIDO members have already showcased FIDO Ready™ devices at this year’s
trade shows including CES, MWC and RSA Conference 2014. Solutions from AGNITiO,
GO-Trust, Infineon, Fingerprint Cards, Yubico, Synaptics (Validity Sensors) and
Nok Nok Labs have all been shown to demonstrate how FIDO can be implemented at
the endpoint.

And with
Samsung announcing its new flagship S5 smartphone at MWC 2014 with an
integrated fingerprint sensor linked to PayPal’s FIDO Ready™ mobile payments
app we will soon see how the FIDO standards operate in the real world.

Samsung is
also planning to open up the fingerprint sensor to third parties using its new
Pass API and there is a possibility that the FIDO components will be available
for developers to build mobile-based multi-factor authentication enabled applications;
a very promising move.

I expect to see more clients and
devices being launched throughout 2014 that are FIDO Ready™. These FIDO enabled
devices will run a Multifactor Authentication Client (MFAC) that supports
FIDO’s Universal Authentication Framework Protocol (UAF) and interfaces with a FIDO
server.

Currently,
Nok Nok Labs is the only provider of both the FIDO Ready™ client and server components
with its S3 Authentication Suite.

The device
OEM (could be a smartphone, a tablet or a Windows PC) would pre-install the
MFAC and then a service provider, the Relying Party, (could be a financial
services provider or a mobile network operator running it on an Authentication
as a Service basis) would run the MFAS.

The MFAS has
the capability of interfacing with policy and risk engines (including Risk
Based Authentication) and also federated identity providers to link the client
identity with multiple online services – brokering identity using strong mobile
based MFA.

Over the past
five years, we have witnessed a lot of development in the ‘last mile’ of
authentication and identity assurance; standards such as SAML and OpenID have
introduced a framework in which user identities can be shared amongst online
services.

The FIDO
Alliance and Nok Nok Labs are attempting to standardise the ‘first mile’ of
authentication – an event at the beginning of the authentication process
proving that an authorised person is allowed access to a digital service or to
authorise a transaction.

These are
early days for FIDO and Nok Nok Labs but I firmly believe that they are
establishing the building blocks for agile omni-channel authentication and
identity verification that will have an important part to play in improving the
levels of trust in an open connected world.